Wednesday, December 18, 2013

A while ago the Ontario Ministry of Health and Long-Term Care published this document, which explains how to consume their new SOAP web service. (For the benefit of Google, the exact title is "Technical Specification for Medical Claims Electronic Data Transfer (MCEDT) Service via Electronic Business Services (EBS) Ministry of Health and Long-Term Care".) I have received over a dozen questions about how to consume this service with WCF. Unfortunately it is not a simple task, since the service uses a complex configuration which is not available in any of the built-in WCF bindings. However, it is possible to do it with some custom code. Below I describe the general scheme for making this work. I know some community members are preparing a simple wrapper for this, so I will publish it here once it is ready.

The Errors
Depending on which path you choose for implementation, the most common error message you are likely to receive is the dreaded:

The incoming message was signed with a token which was different from what used to encrypt the body. This was not expected.

There are other possible errors as well, and some consumers may not know where to start.

The Solution
1. Since the client needs to send both a username token and an X.509 certificate (and sign with the latter) we need to write a code binding:

One thing you want to notice in this code is that it contains the username and password, so change them according to your credentials.
Another thing to notice is that the client certificate is loaded from disk. You could change that to the Windows certificate store if you wish. As for the server certificate, you could put any dummy certificate there, including the same one as the client certificate (it will not be used, but WCF needs something in this setting).
Also note the EnableUnsecuredResponse=true. It is a key for the next steps.

2. Since the request needs to be signed only (not encrypted) let's configure the contract in reference.cs with the ProtectionLevel attribute:

3. WCF is reluctant to decrypt the response. For this reason we need to do the decryption manually. This is the hardest part but I give most of the code here so hopefully it will be easier. You need to implement a custom message encoder and configure the binding above to use your encoder instead of text message encoder. Read here on how to implement an encoder.

4. You need to override the ReadMessage method of the encoder and decrypt the response message in it.

This code shows how to decrypt a message (not necessarily in the context of an encoder):

This code needs access to your private key so that it can extract the session key from the message, and it also needs some elements from the response. Once you have the decrypted message you can replace the encrypted body part in the message provided by the encoder with the decrypted message.

5. The last mission to accomplish in the encoder is to delete the <security> element (and all of its child nodes) from the response message before you return it to WCF. Otherwise WCF will try to decrypt the message, which is redundant since we have just decrypted it (WCF decryption would fail anyway). Remember the EnableUnsecuredResponse flag from step #2? It tells WCF not to expect any security, so stripping the elements out is safe.

Information on some possible errors in this process is available here.
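
An added example (not code from the original post) covering steps 4 and 5: it unwraps the session key with the client's private key, decrypts the body, splices the plaintext in place of EncryptedData and removes the Security header. The class name, the SOAP 1.1 namespace, the accepted algorithm URIs and the single-EncryptedData layout are assumptions; clientKey can come from your certificate, for example via GetRSAPrivateKey().

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Xml;
// Added example (hypothetical helper). Assumes SOAP 1.1 and a single EncryptedData in the body.
static class EbsResponseUnwrapper
{
    const string Xenc = "http://www.w3.org/2001/04/xmlenc#";
    const string Soap = "http://schemas.xmlsoap.org/soap/envelope/";
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    public static string Unwrap(string responseXml, RSA clientKey)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(responseXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("s", Soap); ns.AddNamespace("wsse", Wsse); ns.AddNamespace("xenc", Xenc);
        XmlNode security = doc.SelectSingleNode("/s:Envelope/s:Header/wsse:Security", ns);
        XmlNode encKey = security?.SelectSingleNode("xenc:EncryptedKey", ns);
        XmlNode encData = doc.SelectSingleNode("/s:Envelope/s:Body//xenc:EncryptedData", ns);
        if (encKey == null || encData == null)
            throw new CryptographicException("Response is not encrypted the way this helper expects.");
        // The session key is wrapped for the client certificate; accept only known key transports.
        string keyAlg = Algorithm(encKey, ns);
        if (keyAlg != Xenc + "rsa-1_5" && keyAlg != Xenc + "rsa-oaep-mgf1p")
            throw new CryptographicException("Unexpected key transport: " + keyAlg);
        byte[] sessionKey = clientKey.Decrypt(Cipher(encKey, ns),
            keyAlg == Xenc + "rsa-1_5" ? RSAEncryptionPadding.Pkcs1 : RSAEncryptionPadding.OaepSHA1);
        string dataAlg = Algorithm(encData, ns);
        if (dataAlg != Xenc + "aes128-cbc" && dataAlg != Xenc + "aes256-cbc")
            throw new CryptographicException("Unexpected body cipher: " + dataAlg);
        byte[] blob = Cipher(encData, ns), iv = new byte[16];
        Array.Copy(blob, iv, iv.Length);   // XML Encryption prepends the IV to the ciphertext
        // Assumes the decrypted fragment declares any namespace prefixes it uses.
        XmlDocumentFragment fragment = doc.CreateDocumentFragment();
        using (Aes aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.ISO10126;
            aes.Key = sessionKey; aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                fragment.InnerXml = Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, 16, blob.Length - 16));
        }
        // Step 4: swap only EncryptedData (its parent stays). Step 5: drop the Security header.
        encData.ParentNode.ReplaceChild(fragment, encData);
        security.ParentNode.RemoveChild(security);
        return doc.OuterXml;
    }
    static string Algorithm(XmlNode n, XmlNamespaceManager ns) => n.SelectSingleNode("xenc:EncryptionMethod/@Algorithm", ns)?.Value;
    static byte[] Cipher(XmlNode n, XmlNamespaceManager ns) => Convert.FromBase64String(n.SelectSingleNode("xenc:CipherData/xenc:CipherValue", ns).InnerText);
}
```

Because the Security header is removed before WCF sees the message, WCF performs no message-level checks on the response; its integrity then rests on the HTTPS transport.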

MIME Attachments

Hopefully by now you have a working client. Some of the operations also receive an attachment from the service. This attachment is in SwA (SOAP with Attachments), which is a MIME format a little different from the MTOM which WCF knows about. To extract this attachment you could use some kind of MIME parser library as the first step of your encoder (apply it over the raw bytes from the network). Copy the first MIME part to the Message object (this is the SOAP). The second part will be the attachment, which you can keep on the custom encoder as a property or on some other context available to your application code.

Fault Contract
Since there is no formal fault contract in the WSDL you should inspect any incoming soap fault using a custom message inspector.

To sum up, consuming EBS-EDT from WCF is not easy but doable, good luck!

21 comments:

Your approach with the CustomTextMessageEncoder works perfectly (thank-you!) to get a response and decrypt the body inside ReadMessage. Any advice on how to alter the body with the decrypted message? I've replaced the encrypted body with the decrypted value (base64 encoded) and removed the security element, but proxy call always returns a null value (no exception).

Maybe you have overridden the immediate node below the body element. You should keep that node and only change its children. Log the message your encoder returns and compare it to a sample decrypted message or to the schema. If you are not sure how to do it, drop me a mail: yaronn01@gmail.com

You are correct, the decrypted text starts with element "return" which needs to appear as below (and no need to base64 encode). The "getTypeList" call now works with this XML hierarchy returned from ReadMessage:

I am not sure it is possible to do it with the MTOM encoding element (though I heard of someone who claimed to do it). One alternative way is to implement the attachment mechanism yourself with a MIME library. Anyway, first you need to see with Fiddler what your request looks like (full HTTP request, with all parts). If you want, you can mail it to me and I will tell you what you should do differently: yaronn01@gmail.com

I can verify Yaron's strategy of doing the MIME encoding without the help of WCF. I have got it to work by removing the SOAP body "content" value and replacing it with an XOP Include element which references the MIME attachments. Bit of work, but doable.

The upload seems to work without encrypting the files. I'm going to start turning encryption on as I don't think they'll allow that in production (?) For the response, we're decrypting this ourselves (both the SOAP body and the file attachments).

Yaron, for the request, any idea whether we should be doing our own encrypting (e.g. upload attachments), or can WCF finally start pulling its weight :-)

Based on the sample SOAPs that the service authors have provided I don't see a need to encrypt the request attachments. You should be able to pass compliance without it and no reason to change anything after. The request is secured using SSL.

I'm working on developing the interface for the new Ontario EBS. Using your site I have managed to get all the calls working, except for the Upload when I have large files. As mentioned by someone else if the files are under a certain size they can be directly embedded and work. I am working with the SoapWithAttachments encoder sample project to create a MIME message to upload the file. I am getting internal errors as a response from the EBS although my MIME format seems ok.

It may be a lot to ask, but if you find yourself with some free time, my email is jbrierley@opto.com. I can send you code samples and the files I generate if you want the challenge :)

Hi Yaron, I have managed to get the interface almost completely operational with the help of your site. I am hitting the same bottleneck as a previous poster mentioned, being when Upload files exceed a certain size. I am using the CodePlex SoapWithAttachments project as a guide (http://wcfswaencoder.codeplex.com/SourceControl/latest#Microsoft.Austria.WcfHelpers.SoapWithAttachments/SwaEncoder.cs), and seem to get a MIME message constructed, replacing the content with an Xop reference, but am getting an internal error from the EBS.

If you have some free time, my email is jbrierley@opto.com. I can send you code extracts and the xml stream I am generating before the encryption is added on.

Hi Yaron, thank you so much for this blog article. I was in the dark with the ministry's service before reading this article.

I am facing trouble uploading the documents to ministry using uploadMethod. I get this error message "https://204.41.14.78:1441/EDTService/EDTService: cvc-particle 2.1: in element upload of type {http://edt.health.ontario.ca/}uploadData, found (in default namespace), but next item should be resourceType"

Large attachments must use SwA / MTOM and not plain text encoding. However, I do not recommend using the WCF MTOM encoder directly.

The best approach IMO is to implement the attachments by yourself. You can use a library to serialize the MIME (a good one is http://wcfswaencoder.codeplex.com/). So the general scheme would be:

1. Configure WCF to use your custom encoder
2. in WriteMessage you serialize the WCF Message object to string and then load it to some XmlDocument
3. using xpath you loop over all the "content" xml elements, convert them from base64 to binary and:
3.1 using the above library add them as attachment to the output message
3.2 in the soap remove the base64 element and replace it with an xop:include element in the MTOM format with the id of the attachment you gave to the MIME library
4. in the end configure the MIME library to use the altered SOAP as the main part

While doing this be careful not to change the SOAP too much (especially white spaces) since it is already signed. Consider using PreserveWhitespace = true when you work with the .Net XML objects.

Just maybe, instead of all this you could inline the certificate after the MTOM encoder does its work, but I always recommend to have as much control as possible over the process.
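
Steps 2 to 3.2 of the scheme above, as an added example that is not part of the original comments or of the SwA encoder project. The class name and the Content-ID format are assumptions, and serializing the MIME parts is left to the library.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;

// Added example (hypothetical helper): moves base64 "content" values out of the SOAP
// and leaves an xop:Include reference in their place.
static class XopRewriter
{
    const string Xop = "http://www.w3.org/2004/08/xop/include";

    // Returns the rewritten SOAP; attachments receives Content-ID -> raw bytes.
    public static string ExtractContent(string soapXml, IDictionary<string, byte[]> attachments)
    {
        // The SOAP is already signed, so keep every whitespace node as it was written.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(soapXml);

        // Snapshot first: the loop below edits the tree the node list is drawn from.
        var targets = new List<XmlElement>();
        foreach (XmlNode n in doc.SelectNodes("//*[local-name()='content']"))
            targets.Add((XmlElement)n);

        foreach (XmlElement content in targets)
        {
            string base64 = content.InnerText.Trim();
            if (base64.Length == 0) continue;                 // nothing to move out

            // Constructed Content-ID; any value unique within the message works.
            string cid = "attachment-" + attachments.Count + "@example.invalid";
            attachments[cid] = Convert.FromBase64String(base64);

            // Remove only the child nodes so attributes on <content> survive.
            while (content.HasChildNodes)
                content.RemoveChild(content.FirstChild);

            XmlElement include = doc.CreateElement("xop", "Include", Xop);
            include.SetAttribute("href", "cid:" + cid);
            content.AppendChild(include);
        }
        return doc.OuterXml;
    }
}
```

Give each entry in attachments to the MIME library with a Content-ID header of the same id in angle brackets, and use the returned string as the main part.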

Hi Yaron, I was implementing your solution for getting the Resource List, but I'm getting the error "An unsecured or incorrectly secured fault was received from the other party." Please tell me the solution, or if you have any example code, please mail me.